NOTICE Guidance Notes for Anti-Money Laundering & Anti-Terrorist Financing (AML/ATF) Regulated Financial Institutions on AML/ATF

Transcription

1 1 st February 2016 NOTICE Guidance Notes for Anti-Money Laundering & Anti-Terrorist Financing (AML/ATF) Regulated Financial Institutions on AML/ATF BACKGROUND The Bermuda Monetary Authority (the Authority) has undertaken a review of the Guidance Notes for Anti-Money Laundering and Anti-Terrorism Financing (AML/ATF GN) to ensure compliance with the revised 40 recommendations that were published in 2012 by the Financial Action Task Force (FATF). In early 2014 the Authority reviewed the structure and efficacy of the AML/ATF GN, identified a number of gaps and made recommendations to improve the document. The AML/ATF GN needed to comply with the FATF recommendations, as well as reflect the changes made to the Bermuda AML/ATF Regulations which were passed in Bermuda s Parliament in December 2015 (and came into force on 1 st January 2016). The legislative changes ensure Bermuda can achieve technical compliance with the 40 FATF recommendations. The National Anti-Money Laundering Committee (NAMLC) had engaged industry regarding these changes during 2014 and Areas of concern raised by industry were few, but as they related to the Authority s supervisory oversight of financial services, the key areas were dealing with provisions covering enhanced due diligence and their recommendation that NAMLC or other competent authorities produce a list of higher risk countries, a clear definition in legislation on the role of the reporting and compliance officer, concern over the requirement for an independent audit function, and the identification of Politically Exposed Persons (PEPs). The revised AML/ATF GN took on board the aforementioned matters, as well as more guidance relating to interpretation and application of the Proceeds of Crime Act 1997 and the Proceeds of Crime (Anti-money Laundering and Anti-terrorist financing) Regulations 1998 and anti-terrorist sanctions and legislation, how to create a risk assessment taking into account threats and vulnerabilities, the risk rating of domestic PEPS, the requirement to produce an independent audit at least on an annual basis, and the requirement to appoint a compliance officer from institutions senior management. CONSULTATION The Authority is inviting comments from all stakeholders on the Guidance Notes for Anti- Money Laundering & Anti-Terrorist Financing (AML/ATF) Regulated Financial Institutions on AML/ATF.

2 The consultation period is 30 days and ends on 1 st March Comments should be sent to policy@bma.bm and include the words AML/ATF Guidance Notes in the subject of the e- mail. 2

3 BERMUDA MONETARY AUTHORITY GUIDANCE NOTES FOR ANTI-MONEY LAUNDERING & ANTI-TERRORIST FINANCING (AML/ATF) REGULATED FINANCIAL INSTITUTIONS ON AML/ATF 1 st FEBRUARY 2016 Pursuant to Proceeds of Crime ( Supervision & Enforcement) Act 2008 (Section 5(2)) Section 49A of the Proceeds of Crime Act 1997 and Section 12B of the Anti-Terrorism (Financial and Other Measures) Act 2004

4 CONTENTS TABLE OF ABBREVIATIONS AND ACRONYMS... 2 PREFACE... 3 CHAPTER 1 - SENIOR MANAGEMENT RESPONSIBILITIES AND INTERNAL CONTROLS CHAPTER 2 - RISK-BASED APPROACH CHAPTER 3 - OVERVIEW OF CUSTOMER DUE DILIGENCE CHAPTER 4 - STANDARD CUSTOMER DUE DILIGENCE MEASURES CHAPTER 5 - NON-STANDARD CUSTOMER DUE DILIGENCE MEASURES CHAPTER 6 - INTERNATIONAL SANCTIONS CHAPTER 7 - ON-GOING MONITORING CHAPTER 8 - WIRE TRANSFERS CHAPTER 9 - SUSPICIOUS ACTIVITY REPORTING CHAPTER 10 - EMPLOYEE TRAINING AND AWARENESS CHAPTER 11 - RECORD-KEEPING ANNEX I - SECTOR-SPECIFIC GUIDANCE NOTES FOR TRUST BUSINESS ANNEX II - SECTOR-SPECIFIC GUIDANCE NOTES FOR INSURANCE BUSINESS ANNEX III -SECTOR-SPECIFIC GUIDANCE NOTES FOR INVESTMENT BUSINESS ANNEX IV - RISK FACTORS FOR POLITICALLY EXPOSED PERSONS ANNEX V - REGULATORY AND SUPERVISORY RESPONSIBILITIES IN BERMUDA

5 TABLE OF ABBREVIATIONS AND ACRONYMS AML/ATF Anti-Money Laundering and Anti-Terrorism Financing ATFA Anti-Terrorism (Financial and Other Measures) Act 2004 ATM Automated teller machine BACS Bankers Automated Clearing Services BCBS Basel Committee on Banking Supervision BEI Business entity identifier BIC Bank identifier code BMA Bermuda Monetary Authority CDD Customer due diligence CHAPS Clearing House Automated Payment System FATF Financial Action Task Force FIA Financial Intelligence Agency IAIS International Association of Insurance Supervisors IBAN International bank account number IOSCO International Organisation of Securities Commissions IT Information technology LEI Legal entity identifier ML/TF Money laundering and terrorist financing MT Message type NAMLC National Anti-Money Laundering Committee NPM New payment method Orders Overseas Territories Orders in Council PEP Politically exposed person POCA Proceeds of Crime Act 1997 PSP Payment service provider Regulations Proceeds of Crime (Money Laundering) Regulations 1998 RFI Regulated financial institution SAR Suspicious Activity Report SEA Act Proceeds of Crime (Anti-Money Laundering and Anti-Terrorist Financing Supervision and Enforcement) Act 2008 SWIFT Society for Worldwide Interbank Financial Telecommunication UN United Nations 2

6 PREFACE 1. Bermuda has long-standing obligations for regulated financial institutions (RFIs) to maintain effective procedures to prevent and detect money laundering and terrorism financing (ML/TF). The offence of money laundering was first set out in the Proceeds of Crime Act 1997 (POCA 1997). Requirements to combat terrorism financing were first included in the Anti-Terrorism (Financial and Other Measures) Act 2004 (ATFA 2004). The original obligations for RFIs were established in the Proceeds of Crime (Money Laundering) Regulations Those regulations were repealed and replaced by the Proceeds of Crime (Anti- Money Laundering and Anti-Terrorist Financing) Regulations 2008 (the Regulations). 2. The Acts and Regulations described above established a new regulatory regime. The Financial Intelligence Agency Act 2007 created the Financial Intelligence Agency to receive and analyse suspicious activity reports. The Proceeds of Crime ( Supervision and Enforcement) Act 2008 designated the Bermuda Monetary Authority (the BMA or Authority) as the supervisory body empowered to secure institutions compliance with the Regulations, and obliges the Authority to publish the Guidance Notes. The National Anti-Money Laundering Committee (NAMLC), established under Section 49 of POCA 1997, plays an important role in developing Bermuda s national plan of action to combat money laundering and advises on the making of the anti-money laundering and anti-terrorist financing (AML/ATF) legislative framework. Additional information is available at 3. Following an International Monetary Fund review of Bermuda in mid-2007 and a 2012 revision to the Financial Action Task Force (FATF) Recommendations, further amendments to the Regulations were adopted in To assist RFIs in understanding and complying with Bermuda s AML/ATF Acts and Regulations, the Authority issued comprehensive guidance notes for AML/ATF-regulated financial institutions in January 1998 and October The Authority also issued AML/ATF Guidance Notes pertaining to wire transfers in October 2010 and trust business in February These Guidance Notes, issued in 2016, replace and supersede both sets of earlier Guidance Notes. 5. Bermuda recognises that its regulatory system is part of the global fight against 3

7 ML/TF and other financial crime. Bermuda also acknowledges the need for all jurisdictions to operate their regulatory regimes cooperatively and compatibly with one another; doing so promotes an internationally level playing field for legitimate transactions while narrowing opportunities for ML/TF without detection. Purpose and scope of these Guidance Notes 6. The purpose of these Guidance Notes is to assist AML/ATF regulated financial institutions to comply with Bermuda s AML/ATF legal and regulatory framework. The Guidance Notes: Outline the AML/ATF legal and regulatory framework for Bermuda institutions; Interpret the requirements of the relevant Acts and Regulations, including how implementation may be achieved in practice; Indicate good industry practice in the application of AML/ATF procedures using a proportionate, risk-based approach; Assist institutions in mitigating the risks of being used in connection with ML/TF; and Assist in detailing criteria to be followed by all Bermuda institutions where there is knowledge, suspicion or reasonable grounds to suspect ML/TF. 7. Against the backdrop of Bermuda s AML/ATF laws and regulations, these Guidance Notes set out guidelines for Bermuda institutions operating both in and outside Bermuda, and their directors, officers and employees. 8. This document provides guidance to institutions on: The responsibilities of senior management and internal controls (Chapter 1); The risk-based approach (Chapter 2); The application of standard and non-standard customer due diligence measures (Chapters 3, 4 and 5); Sanctions regimes (Chapter 6); On-going monitoring (Chapter 7); Wire transfers (Chapter 8); Suspicious activity reporting (Chapter 9); Employee training and awareness (Chapter 10); and Record-keeping (Chapter 11). 4

8 What is money laundering? 9. Money laundering is the process by which illegitimate or criminally derived money is made to appear legitimate. This result is achieved through a series of financial transactions designed to conceal the identity, source and/or destination of the criminally derived money. The process uses legal channels to conceal the criminal origins of illegal funds. 10. Money laundering generally involves three independent but sometimes simultaneous stages: 1. Placement: The physical placement or insertion of illegal money into the legitimate financial system. This stage deals primarily with cash proceeds of crime. 2. Layering: Separating the proceeds of criminal activity from their true origins by putting them through several layers of financial transactions. 3. Integration: This is the final stage of money laundering in which the criminal proceeds re-enter the legitimate economy, appearing to be derived from a legitimate source. 11. Under Bermuda law, money laundering involves the proceeds from any criminal conduct or any terrorist property. Criminal conduct includes all offences triable on indictment before the Supreme Court. Criminal conduct also includes all offences outside Bermuda that, had they occurred in Bermuda, would be triable on indictment before the Supreme Court. For more information, see Section 3 of the Proceeds of Crime Act 1997 and Section 8 of the Anti-Terrorism (Financial and Other Measures) Act The activities carried out at all stages of the money laundering process are criminalised under Bermuda laws by virtue of Sections 43 through 45 of POCA 1997 and Section 8 of ATFA Sections 32, 33 and 230 of the Criminal Code also criminalise any attempt, conspiracy or incitement to commit any such offence. 13. Specific money laundering offences under Bermuda law include: Concealing or transferring proceeds of criminal conduct; Assisting another to retain proceeds of criminal conduct; and Acquisition, possession or use of proceeds of criminal conduct. 5

9 14. In addition, Sections of POCA 1997 criminalise the following acts: Failure to disclose to the Financial Intelligence Agency (FIA) knowledge or suspicion of money laundering; and Tipping off a person other than the FIA by disclosing information likely to prejudice an investigation into money laundering. 15. Examples of money laundering include: Attempting to turn money raised through criminal activity into legitimate or clean money; Involvement with any criminal or terrorist property, or entering into arrangements to facilitate the retention or control of criminal or terrorist property; and The investment of proceeds of crime in further criminal activity or in financial products and services. 16. Regardless of whether money laundering actually takes place, it is also a separate offence under the Regulations for institutions to fail to establish adequate and proportionate policies and procedures to prevent and detect money laundering. 17. The techniques used by money launderers constantly evolve, responding to the source, type and amount of funds to be laundered, and to the legislative, regulatory and law enforcement environment of the market in which the money launderer wishes to operate. Techniques employed may be local to a municipality, or they may be practiced commonly around the globe. One source of guidance on global money laundering methods is available at What is terrorism financing? 18. Terrorism financing is the direct or indirect solicitation, collection or provision of financial or other material assistance for terrorism or for terrorist organisations or persons who encourage, plan or engage in terrorism. 19. Terrorism financing could involve funds raised from legitimate sources, such as personal or institutional donations and profits from businesses, or funds from criminal sources, such as the drug trade, arms smuggling, fraud, abduction and 6

10 corruption. The primary objective of persons seeking to finance terrorism is not to conceal the source of funds, but to conceal the financing and the terrorist nature of the financed activity. 20. Terrorists and terrorist groups may have established links with organised crime groups and may use those links to move funds through the same channels as money launderers. Larger, property-owning terrorist groups may operate similarly to organised crime groups or governments, raising funds through various processes, including forms of taxation. Other groups and individuals, however, may operate on a smaller scale, but nonetheless with devastating effect. Terrorism financing has two notable features: Terrorists are often funded from legitimately obtained income, including charitable donations and business profits; and Individual terrorist acts have been carried out using relatively small sums of money. 21. In seeking to evade detection by the authorities and to protect the identity of the ultimate beneficiaries, persons involved in terrorism financing use techniques similar to those employed by money launderers. Affected institutions have substantively the same duty to combat terrorism financing as they do to prevent money laundering. 22. The various activities involved in terrorism financing are criminalised by virtue of Sections 5 through 8 of ATFA Sections 32, 33 and 230 of the Criminal Code also criminalise any attempt, conspiracy or incitement to commit any such offence. 23. Specific terrorism financing offences under Bermuda law include: Fund raising for the purposes of terrorism; Soliciting, collecting or providing money or other property for the purposes of financing terrorist organisations or financing persons participating in terrorism; Using or possessing money or other property that is intended to be used for the purposes of terrorism; and Participating in arrangements to make money or property available for the purpose of terrorism. 7

11 24. In addition, ATFA 2004 criminalises the following acts: Failure to disclose to the FIA knowledge or suspicion of terrorist financing; and Tipping off a person other than the FIA by disclosing information likely to prejudice an investigation into terrorist financing. 25. Examples of terrorism financing include: Soliciting donations to a terrorist organisation; Purchasing antiquities or natural resources from a terrorist organisation; and Providing support to terrorist organisations. 26. Regardless of whether or not money laundering actually takes place, it is also a separate offence under the Regulations for institutions to fail to establish adequate and proportionate policies and procedures to prevent and detect terrorist financing. 27. Bermuda law criminalises the financing of terrorist actions that occur both in and outside Bermuda. Bermuda law also criminalises the financing of terrorist actions by both individuals and legal entities. 28. An important component of Bermuda s anti-terrorism financing system is the implementation of international sanctions against groups, entities and individuals designated as terrorists. For more information on international sanctions, see Chapter 6: Sanctions Regimes. Who does the guidance address? 29. These Guidance Notes are addressed to AML/ATF-regulated financial institutions within the meaning of Section 2(1) of the Proceeds of Crime (Anti-Money Laundering and Anti-Terrorist Financing Supervision and Enforcement) Act 2008 (SEA Act 2008). Approved by the Minister of Justice, these Guidance Notes are issued by the Authority under Section 5(2) of the SEA Act 2008, Section 49A of POCA 1997, and Section 12B of ATFA These Guidance Notes are of direct relevance to all senior management, inclusive of the compliance officer, and reporting officers in institutions. The primary purpose of the notes is to provide guidance to those who set the 8

12 institution s risk management policies and procedures for the prevention and detection of ML/TF. 31. Although the guidance will be relevant to operational areas, it is expected that these areas will be directed primarily by the institution s own detailed and specific internal arrangements, tailored by senior management to mitigate the risks identified by the institution s own risk assessment processes. Status of the guidance 32. The Court, or the Authority, as the case may be, in determining whether a person is in breach of a relevant provision of the Acts or Regulations, is required to consider whether a person has followed any relevant guidance approved by the Minister of Justice and issued by the Authority. Requirements of the Court and the Authority are detailed in the provisions of Section 49A of POCA 1997, regulation 19(2) of the Regulations, Section 12(B) of, and paragraph 1(6) of Part I of Schedule I to ATFA 2004 and Section 20(6) of the SEA Act Departures from this guidance, and the rationale for so doing, should be documented, and institutions should stand prepared to justify departures to authorities such as the BMA. How should the guidance be used? 34. This guidance interprets the laws and regulations of Bermuda to assist institutions in meeting their AML/ATF obligations. The Guidance Notes do not address every requirement. Institutions must therefore rely first and foremost on the laws and regulations themselves. 35. These Guidance Notes are not intended to provide an exhaustive account of appropriate and effective policies, procedures and controls to prevent and detect ML/TF. 36. Each institution must assess the ML/TF risks to which it is exposed, and tailor its AML/ATF policies, procedures and controls to ensure adequate and proportionate mitigation of all risks. 37. The Authority expects institutions that it supervises to address their risk management in a thoughtful and considered way, and to establish and maintain policies, procedures and controls that are appropriate and proportionate to the 9

13 risks identified. 38. Although these Guidance Notes generally provide a sound basis for institutions to meet their legal and regulatory obligations, effective risk mitigation may require additional measures beyond those set forth herein. 39. When a provision of the Acts or Regulations is directly described in the text of the guidance, the Guidance Notes use the term must to indicate that the provision is mandatory. 40. In other cases, the guidance uses the term should to indicate ways in which the requirements of the Acts or Regulations may be satisfied, while allowing for alternative means, provided that those alternatives effectively accomplish the same objectives. 10

14 CHAPTER 1 - SENIOR MANAGEMENT RESPONSIBILITIES AND INTERNAL CONTROLS Introduction 1.1 This chapter provides guidance for senior management to establish AML/ATF policies and procedures in line with the Acts and Regulations of Bermuda. 1.2 The responsibilities for senior management of a Regulated Financial Institution (RFI) are governed primarily by the Proceeds of Crime Act 1997, Proceeds of Crime ( Supervision and Enforcement) Act 2008, Anti-Terrorism (Financial and Other Measures) Act 2004, and Regulations 16, 17 and This chapter also provides guidance on internal controls relating to financial sector group policies, employee screening and independent auditing that are appropriate for an RFI to meet its obligations under the AML/ATF Acts and Regulations. 1.4 The internal control requirements for RFIs are governed primarily by Regulations 12, 16 and An RFI s involvement in money laundering or terrorism financing (ML/TF), whether intentional, knowing, inadvertent or negligent, creates legal, regulatory and reputational risks. 1.6 Under the Acts and Regulations of Bermuda, senior management must ensure that the RFI s policies, procedures and controls for preventing and detecting ML/TF are appropriately designed and implemented. The RFI s policies, procedures and controls must: Assess the ML/TF risks the RFI faces; Consider how those risks best can be addressed; and Effectively mitigate the risk of the RFI being used in connection with ML/TF. 1.7 Senior management must apply a risk-based approach for the purposes of preventing and detecting ML/TF. In doing so, RFIs may draw upon experience applying proportionate, risk-based policies across different aspects of its business. 11

15 1.8 Under a risk-based approach, RFIs should identify and assign risk ratings to their customers, products, services, transactions, delivery channels, outsourcing arrangements and geographic connections. AML/ATF policies, procedures and controls should be applied in a manner that allocates compliance resources in proportion to the risks identified; this approach is intended to increase effectiveness in a cost-effective manner. See Chapter 2: Risk-Based Approach. 1.9 Senior management should ensure that the RFI s risk ratings and risk management policies, procedures and controls are responsive to any information the Authority or other competent authority provides to the RFI with regard to Bermuda s ML/TF national risk assessment Senior management must be fully engaged in decision-making processes, and must take ownership of the risk-based approach. Senior management is accountable where the approach is determined to be inadequate. The AML/ATF framework in Bermuda 1.11 A full, up-to-date listing of Bermuda legislation is available at Key elements of the AML/ATF framework in Bermuda include: Revenue Act 1898 Criminal Code Act 1907 Criminal Justice (International Cooperation) (Bermuda) Act 1994 Proceeds of Crime Act 1997 Proceeds of Crime ( Supervision and Enforcement) Act 2008 Anti-Terrorism (Financial and Other Measures) Act 2004 Financial Intelligence Agency Act 2007 Proceeds of Crime () Regulations 2008 Proceeds of Crime Appeal Tribunal Regulations 2009 Proceeds of Crime (Designated Countries and Territories) Order 1998 The Extradition (Overseas Territories) Order 2002 Anti-Terrorism (Financial and Other Measures) (Business in Regulated Sector) Order

16 The Terrorist Asset-Freezing etc. Act 2010 (Overseas Territories) Order 2011 (An unofficial Consolidation of the Terrorist Asset-Freezing etc. Act 2010 and the above Order is provided on the website for ease of reference) Guidance Notes for AML/ATF Regulated Financial Institutions on Anti- Money Laundering & Anti-Terrorist Financing International Sanctions Act 2003 and International Sanctions Regulations The AML/ATF framework in Bermuda has been revised pursuant to the following international standards and requirements: The FATF Recommendations (as amended February 2012). UN Security Council Resolutions 1267 (1999), 1373 (2001), and subsequent resolutions 1333 (2000), 1390 (2002), 1455 (2003), 1526 (2004), 1617 (2005), 1735 (2006), 1822 (2008), 1904 (2009), 1989 (2011), 2083 (2012), and 2161 (2014) Bermuda RFIs may also find the following international regulatory pronouncements useful: Basel Committee on Banking Supervision (BCBS) Due Diligence and Transparency Regarding Cover Payment Messages Related to Cross-Border Wire Transfers (May 2009) Sound Management of Risks Related to Money Laundering and Financing of Terrorism (January 2014) International Association of Insurance Supervisors (IAIS) Guidance Paper 5 on Anti-Money Laundering and Combating the Financing of Terrorism (October 2004) Issues Paper on Combating Bribery and Corruption (October 2004) Examples of Money Laundering and Suspicious Transactions Involving Insurance (October 2014) International Organisation of Securities Commissions (IOSCO) Anti-Money Laundering Guidance for Collective Investment Schemes (October 2005) Wolfsberg AML Principles Available at 13

17 FATF Guidance Available at Extra-territorial matters 1.14 Where an RFI has a listing, or has activities in, or is linked to a country or territory other than Bermuda, whether through a branch, subsidiary, associated company or correspondent banking relationship, it is possible that, in addition to the Acts and Regulations of Bermuda, sanctions and AML/ATF measures of the other country or territory also apply to activities of the RFI. Senior management should obtain advice on the extent to which the RFI s activities may be affected in this manner. Regulatory priorities 1.15 No single Bermuda body has overall responsibility for combating money laundering or terrorist financing. The division of responsibilities is described in Appendix II Regulation of and guidance to RFIs is provided by the BMA The Regulations apply to a range of specified RFIs carrying on business in Bermuda. POCA 1997 and ATFA 2004 criminalise ML/TF, respectively. RFIs are now legally obliged to put in place effective measures to minimise the chance of involvement with the proceeds of any crime or any terrorist property The BMA s objectives are to use regulatory measures to: Monitor AML/ATF regulated financial institutions to ensure full compliance with Bermuda s legal and regulatory framework; Assist with the prevention and detection of financial crime; and Deter and disrupt criminal and terrorist activity by increasing the risk that perpetrators are apprehended, and by reducing the benefit perpetrators receive from their crimes In order to deliver these objectives successfully, the BMA s actions in this area are underpinned by three key organising principles: 14

18 Effectiveness Maximise the impact of AML/ATF measures on criminality and terrorism by: Building knowledge of commercially effective compliance strategies that drive continuous improvement; and Ensuring that all RFIs make full use of the opportunities provided by the Acts and Regulations to prevent and detect ML/TF. Proportionality Ensure that the benefits of intervention are justified and that they outweigh the costs by: Entrenching the risk-based approach. Engagement Work collaboratively in partnership with all stakeholders in Government and the private sector, both at home and abroad, in order to: Share data across the AML/ATF community to reduce harm; and Engage internationally to assist in delivery of a global solution to this global problem. General legal and regulatory obligations 1.20 For the purposes of these Guidance Notes, senior management refers to one or more of the following: The board of directors as a single decision-making body; One or more appropriate directors; A chief executive who, either alone or jointly with one or more persons, is responsible under the immediate authority of the directors for the conduct of the business of the RFI; A senior executive other than a chief executive who, under the immediate authority of a director or chief executive of the RFI, exercises managerial functions or is responsible for maintaining accounts or other records of the RFI Senior management in all RFIs must: Ensure compliance with the Acts and Regulations; Identify, assess and effectively mitigate the ML/TF risks to its customers, products, services, transactions, delivery channels, outsourcing arrangements and geographic connections; 15

19 Ensure that AML/ATF risk assessment framework remains relevant and appropriate given the RFI s risk profile; Appoint a Compliance Officer at the senior management level to oversee the establishment, maintenance and effectiveness of the RFI s AML/ATF policies, procedures and controls; Appoint a Reporting Officer to process disclosures; Screen employees against high standards; Ensure that adequate resources are devoted to the RFI s AML/ATF policies, procedures and controls; Audit and periodically test the RFI s AML/ATF policies, procedures and controls for effectiveness; and Recognise potential personal liability if legal obligations not met Senior management of any RFI is responsible for managing its business effectively. Certain obligations are placed on all RFIs subject to the Regulations; fulfilling these responsibilities falls to senior management as a whole. See Regulation The Regulations place a general obligation on RFIs to establish appropriate and risk-sensitive policies and procedures to prevent and detect ML/TF. An RFI that fails to comply with this obligation is subject to regulatory enforcement action. See Regulations 16 and 19(1) The offences of money laundering under POCA 1997 and the obligation to report knowledge or suspicion of possible money laundering affect all persons, not only RFIs. Similar offences and obligations under ATFA 2004 also affect all persons, not only RFIs. In addition, the Regulations require RFIs to take appropriate measures so that all relevant employees are made aware of the Acts and Regulations relating to ML/TF, and to regularly train them how to recognise and deal with transactions that may be related to money laundering or terrorism financing. See Regulations 17 and 18, Section 46 of POCA 1997, and Schedule 1 Part 1 of ATFA Where a corporate, partnership or unincorporated association is guilty of an offence under POCA 1997 and/or ATFA 2004 and that offence is proved to have been committed with the consent or connivance of, or due to negligence by, any director, manager, secretary or similar officer of the entity or any person who was purporting to act in any such capacity, he, as well as the legal entity, shall be guilty of that offence and shall be liable to be proceeded against and punished 16

20 accordingly. See Regulation 19(1), Section 56 of POCA 1997 and Section 5B of ATFA Criminal and civil penalties 1.26 RFIs should be aware that Regulation 19 provides that failure to comply with the requirements of specified Regulations is a criminal offence and carries with it significant penalties. On summary conviction, the penalty is a fine of up to $50,000. Where conviction occurs on indictment, penalties include a fine of up to $750,000, imprisonment for a term of two years, or both Section 20 of the Proceeds of Crime (Anti-Money Laundering and Anti-Terrorist Financing Supervision and Enforcement) Act 2008 empowers the BMA to impose a penalty on an AML/ATF-RFI of up to $500,000 for each failure to comply with specified Regulations. Total penalties therefore may be well above $500,000. For full details concerning the civil penalties process, see Chapter 4 of the Act. The Act also provides for criminal offences. For example, Section 33 creates offences, which carry significant penalties if convicted, whether summarily or on indictment. The offences include carrying on business without being registered pursuant to Section 9 of the Act. The BMA has published a Statement of Principles, which states its approach in exercising its powers Regulation 19(4) states that anyone convicted of an offence under Regulation 19 shall not also be liable to a civil fine imposed by or under any other statutory provision in relation to the same matter. Formal AML/ATF policy statement 1.29 Senior management should adopt and document a formal AML/ATF policy statement in relation to the prevention and detection of ML/TF The policy statement should state how senior management carries out its responsibility to ensure that the RFI s policies, procedures and controls are appropriately designed and implemented The policy statement should also set out how senior management undertakes its assessment of the ML/TF risks the RFI faces, and how these risks are to be managed. 17

21 1.32 A high level AML/ATF policy statement should focus employees on the need to be constantly aware of ML/TF risks, and how they are to be managed An effective AML/ATF policy will provide a framework of direction to the RFI and its employees, and will identify specific individuals and functions responsible for implementing particular aspects of the RFI s detailed policies, procedures and controls The policy statement might include, but not be limited to, such matters as: Guiding principles: An unequivocal statement of the culture and values that have been adopted by the RFI to prevent and detect financial crime; A commitment to hiring and retaining only those employees who follow the principles; A commitment to ensuring that employees are trained in an on-going and risksensitive manner and are knowledgeable about the Acts and Regulations and their obligations thereunder; A commitment to ensuring that the RFI accepts only those customers whose identity has been verified; A commitment to the RFI knowing its customers appropriately, both at the time of acceptance and throughout the business relationship, by taking appropriate steps to verify the customer s identity, verify beneficial ownership and understand the purpose and intended nature of the business relationship with the RFI; A commitment to periodic independent auditing to test the RFI s AML/ATF policies, procedures and controls; A commitment to address shortcomings in a timely manner; and A commitment that employees promptly report their suspicions internally. Risk mitigation procedures: A summary of the RFI s approach to assessing and managing its ML/TF risks, including a statement of the RFI s risk tolerance; Identification of specific individuals and functions responsible for implementing particular aspects of the RFI s detailed policies, procedures and controls; A summary of the RFI s procedures for carrying out appropriate identification, verification and monitoring checks on the basis of its risk methodologies; and 18

22 A summary of the appropriate monitoring arrangements in place to ensure that the RFI s policies, procedures and controls are being carried out effectively and remain proportional to evolving risk factors The policy statement should be tailored to the circumstances of the RFI. The use of a generic document is likely to reflect adversely on the level of consideration that senior management has given to the RFI s AML/ATF obligations and the ML/TF risks it faces. Compliance Officer and Reporting Officer 1.36 RFIs must appoint a Compliance Officer, who must be a member of senior management as defined in paragraph 1.20, and who must have the authority to: Oversee the establishment, maintenance and effectiveness of the RFI s AML/ATF policies, procedures and controls; Monitor compliance with the relevant Acts, Regulations and guidance; and Access all necessary records in a timely manner RFIs must also appoint a Reporting Officer with the authority to carry out the following duties: Receive suspicious activity disclosures from the RFI s employees; Access all necessary records in a timely manner; Make final determinations on whether disclosures should be reported to the FIA; and Where appropriate, make external reports to the FIA The Reporting Officer may be, but is not required to be a member of senior management. At a minimum, however, the Reporting Officer should be a qualified member of the RFI s staff Senior management of the RFI should ensure that the Reporting Officer has the autonomy to make a final decision as to whether to file a suspicious activity report The Reporting Officer should have direct access to the BMA and, where appropriate, law enforcement agencies, to ensure that any suspicious activity is properly reported as soon as is practicable. The Reporting Officer must be free to 19

23 liaise with the Financial Intelligence Agency on any question of whether to proceed with a transaction Senior management of the RFI should ensure that the Reporting Officer has sufficient resources, including time, employees and technology and direct access to and support from senior management. In the case of the Reporting Officer s absence, arrangements should be made to ensure proper coverage of duties, and awareness among employees of any changes to the procedures to follow when suspicion arises Senior management of the RFI should ensure that the Reporting Officer has timely access to the RFI s relevant business information, including, but not limited to: Customer due diligence and on-going monitoring records; and Transaction details The Compliance Officer and Reporting Officer may be the same individual Where they are not the same person, the Compliance Officer and the Reporting Officer should maintain open lines of communication and understand each other s role and responsibilities. The relationship should be clearly defined and documented Depending on the size of the RFI, or by the structure of a financial sector group, the duties of the Compliance Officer and/or Reporting Officer may be delegated to additional senior, appropriately qualified individuals within the RFI or group. The appointment of one or more permanent deputy Reporting Officers may also be necessary. In these cases, the principal or group Reporting Officer should ensure that roles and responsibilities are clearly defined, and that employees know where to direct reports of suspicions Senior management should ensure that all relevant employees of the RFI are aware of the identity of the Reporting Officer and any deputies, and that all relevant employees are aware of the procedures to follow when suspicion arises The role, standing and competence of the Compliance Officer and the Reporting Officer, and the manner in which the RFI s policies, procedures and controls are designed and implemented, impact directly on the effectiveness of an RFI s 20

24 AML/ATF arrangements, and the degree to which the RFI is in compliance with the Acts and Regulations of Bermuda RFIs should notify the BMA of the name and contact information of the Compliance Officer, Reporting Officer and any deputies, and of any subsequent changes. Receipt of such information enhances the BMA s ability to communicate effectively with RFIs. Information should be sent via to: aml@bma.bm 1.49 For additional information regarding the duties of the Reporting Officer, see Chapter 9: Suspicious Activity Reporting. Periodic report 1.50 At least once a year, the Compliance Officer should report on the operation and effectiveness of the RFI s AML/ATF policies, procedures and controls. Senior management should determine the scope and frequency of information it feels is necessary to discharge its responsibilities; an RFI may determine that the Compliance Officer needs to report to senior management frequently The periodic report may include: The means by which the effectiveness of the RFI s policies, procedures and controls has been managed and tested; Identification of compliance deficiencies and details of action taken or proposed to address any such deficiencies; Failure to apply Bermuda requirements in branches and subsidiaries, any advice received from the BMA and details of action taken; The number of internal disclosures to the Reporting Officer and the number of subsequent external reports submitted to the FIA, any perceived deficiencies in internal or external reporting procedures, and the nature of action taken or proposed to address such deficiencies, such as customer due diligence reviews, on-going monitoring reviews/projects, AML/ATF training taken by the Compliance Officer and/or Reporting Officer; Information concerning the training programme for the preceding year, which employees have received training, the methods of training and the nature of the training; Changes made or proposed in respect of new or revised Acts, Regulations or guidance; 21

25 A summary of risk assessments conducted or updated with regard to customers, products, services, transactions, delivery channels, outsourcing arrangements and geographic connections. The nature of actions taken with regards to jurisdictions that do not sufficiently apply the FATF Recommendations, or which are the subject of international countermeasures, and the measures taken to manage and monitor business relationships connected with such jurisdictions; and Any recommendations concerning additional resource requirements to ensure effective compliance with the RFI s statutory and regulatory obligations Where an RFI is part of a group or involved in multiple jurisdictions, a consolidated report may be appropriate At the time senior management receives a report on the operation and effectiveness of the RFI s AML/ATF policies, procedures and controls, it should consider the report and take any and all necessary actions in a timely manner to remedy any deficiencies identified. Internal controls 1.54 In addition to a formal AML/ATF policy statement, RFIs must establish and maintain detailed policies, procedures and controls that are adequate and appropriate to forestall and prevent operations related to ML/TF All such policies, procedures and controls must be risk sensitive, based on a variety of factors, including: The nature, scale and complexity of the RFI s business; The diversity of its operations, including the RFI s geographical connections; Its customers; Its products, services, and delivery channels; Its transactions, including their volume and size; and The degree of risk assessed in each area of its operation More specific requirements for an RFI s detailed policies, procedures and controls are set forth in Chapters 2 through 11 of these guidance notes. 22

26 Application of group policies 1.57 Where a Bermuda RFI has branches, subsidiaries or representative offices located in a country or territory other than Bermuda, it must communicate its AML/ATF policies and procedures to all such entities Bermuda RFIs must also ensure that all branches, subsidiaries and representative offices located outside Bermuda apply AML/ATF measures at least equivalent to those set out in the Acts and Regulations To accomplish paragraphs 1.57 and 1.58 above, RFIs should consider adopting group-wide AML/ATF policies and procedures A financial sector group s policies and procedures must provide for the groupwide sharing of information required for the purposes of Customer Due Diligence (CDD), ongoing monitoring, record-keeping and other ML/TF risk management policies, procedures and controls Group-level AML/ATF functions should be provided with customer, account and transaction information from branches and subsidiaries where required for AML/ATF purposes RFIs should establish and maintain adequate safeguards on the confidentiality and use of the information exchanged Individual RFIs and financial sector groups should have access to customer, account and transaction information from branches and subsidiaries where necessary for the purposes of on-going monitoring Where operational activities of a Bermuda RFI are undertaken by employees in other jurisdictions, those employees should be subject to the same AML/ATF policies and procedures applied to Bermuda employees. Senior management should ensure that all suspicious transactions or activities linked with a Bermuda RFI or Bermuda person are reported to the Reporting Officer in Bermuda Where the AML/ATF standards in the country or territory hosting a branch or subsidiary are more rigorous than those required by the Acts and Regulations, RFIs should ensure that those higher standards are implemented. 23

27 1.66 Where the law of a country or territory other than Bermuda does not permit the application of AML/ATF measures at least equivalent to those in Bermuda, the RFI must inform the BMA accordingly, and must take additional measures to effectively manage the risks of ML/TF. See Regulation 12(2) RFIs that have informed the BMA that the law of a country or territory other than Bermuda does not permit the application of AML/ATF measures at least equivalent to those in Bermuda should follow any advice, recommendations or directions from the BMA as to the action to take Where an RFI finds that additional measures are insufficient for the purposes of effectively mitigating the risks of ML/TF, and particularly where effective AML/ATF policies, procedures or controls are likely to be impeded by confidentiality, secrecy, privacy or data protection restrictions, RFIs must inform the BMA, which may require that the relationship be terminated. The RFI should follow any advice, recommendations or directions the BMA or other competent authority provides as to the action to take Additional guidance regarding reliance on third parties and outsourcing arrangements is contained in Chapter 5: Non-Standard Customer Due Diligence Measures. Employee screening 1.70 An RFI s AML/ATF policies and procedures must require relevant employees to be screened against high standards as noted below For the purposes of these guidance notes, the term employee includes any person working for an RFI, including persons working under a contract of employment and persons working under a contract for services. A relevant employee is one who: At any time in the course of his duties has or may have access to any information which may be relevant in determining whether funds or assets are the proceeds of crime, or that a person is involved in money laundering or terrorist financing; or At any time plays a role in implementing and monitoring compliance with AML/ATF requirements. 24

28 1.72 Where employees of any third parties carry out work in relation to an RFI under an outsourcing agreement, the RFI should have procedures to satisfy itself as to the effectiveness of the screening procedures of the third party in ensuring employee competence and probity To ensure that employees are of the standard of competence and probity proper for their role, RFIs should: Request and verify appropriate references for the employee at the time of recruitment; Verify the employee s employment history, qualifications and professional memberships; Request and verify the details of any regulatory action taken against the employee, or any action taken by a professional body; Request and verify the details of any criminal convictions, or the absence of any such convictions by, e.g. requesting a police report from the appropriate jurisdiction(s); Consult the most up-to-date lists of specified countries and persons against whom sanctions have been imposed by the United Nations, the European Union or other relevant body or jurisdiction on the grounds of suspected or known involvement in terrorist or other illegal activity RFIs should document, or record electronically, the steps taken to satisfy these requirements, including the information and verifications obtained. RFIs should also document, or record electronically, any situation where an employee has been hired despite the RFI s inability to obtain all relevant information. In such cases, RFIs should include the reasons why all relevant information was not obtained, an appropriate risk-based rationale for the exception, and details regarding alternative screening methods undertaken. All related records should be retained in accordance with the guidance provided in Chapter 11: Record Keeping. Independent audit 1.75 The independent audit function should provide for an internal audit of the RFI s AML/ATF policies, procedures and controls. RFIs should conduct an audit to monitor and sample test the implementation, integrity and effectiveness of their AML/ATF policies, procedures and controls on a regular basis. This means at least once a year and more frequently when senior management becomes aware of 25

29 any gap or weakness in the AML/ATF policies, procedures or controls, or when senior management deems it necessary due to the RFI s assessment of the risks it faces Where appropriate, having regard to the risk of ML/TF and the size of the business, the audit may be undertaken by the compliance and internal auditing departments. The audit should be adequately resourced to help ensure AML/ATF compliance and it should be carried out independently of any general audit. The independent audit does not require the establishment of a separate dedicated department or section, only that the audit itself is sufficiently separate and distinct, focused solely on AML/ATF matters and not found within the general audit The audit function should: Evaluate the risk ratings the RFI has assigned with respect to its size, customers, products, services, transactions, delivery channels, outsourcing arrangements and geographic connections; Assess the adequacy of the RFI s AML/ATF policies, procedures and controls including: o Risk assessment; o Customer due diligence; o Risk mitigation and other measures to manage higher risks; o On-going monitoring; o Detecting and reporting suspicious activity; o Record-keeping and retention; and o Reliance and outsourcing relationships; Test compliance with the relevant laws and regulations; Test the AML/ATF controls for the RFI s transactions and activities, with an emphasis on higher-risk areas; Assess employees knowledge of the relevant Bermuda Acts, Regulations and guidance, the RFI s policies and procedures and the role of each employee within the RFI; and Assess the adequacy, accuracy and completeness of employee training and awareness programmes The audit should be documented, or recorded electronically, and retained in accordance with the guidance provided in Chapter